Compliance Challenges

Industry & Regulatory Mandates
Ensuring Coverage of Technical & Non-Technical Controls
Maintaining Visibility Across Silos
Due Diligence Beyond Regulated Environment

(Mandate logos shown on the slide include NERC, FISMA and CIS Benchmarks.)
Necessities to Support Digital Transformation

Complete Visibility across Business Units, Technologies, and Environments
Simplified Processes, so they can focus on improving security rather than running products
Flexibility options for capturing required compliance data
Support for emerging technologies and capabilities
Tight integration across security technologies to support complex mandates and audit requirements
Automation and process integration to support DevSecOps
Comprehensive reporting against regulations, mandates & audit objectives
Qualys Security Compliance Apps

Policy Compliance
FIM File Integrity Monitoring
Security Assessment Questionnaire
Use Case: ISO Compliance via unified security program

Customer: EU Financial institution
Digital Transformation underway
Leveraging ISO for control objectives company wide
GDPR IT Security Goals as a function of ISO

Goals
Address ISO certification readiness as a by-product of good cybersecurity practices
Consolidated cybersecurity dashboard based on the ISO objectives

Requires
Security Vendor Consolidation
Integrated Solutions
Strong Regulatory Content
End-to-end mandate reporting
Start with a Strong Foundation

Asset Management
Technical Vulnerability Management
Restrictions on Changes to software packages
Access Control
Operations and communications Security
Procedural Controls & Supplier relationships
Continuously Assess Controls with Qualys Policy Compliance

Define Policies and Controls
Continuously Assess
Report, Inform & Remediate
Manage Exceptions

Policy library screenshot (cover page): "This CIS certified policy for 'Amazon Linux 2016' is based on the 'CIS Amazon Linux Benchmark, 2.0.0'. The policy contains ... Sections."
Complete Visibility

Assessment for Out-of-band Configurations

Expanded UDC Support
Cloud Agent Support for OS UDCs
Database UDC
Windows File Content
Command UDC

PC Dashboard
Broad Technology & Control Coverage to support Emerging Technologies & Digital Transformation

Network Devices
Applications
Operating Systems

Emerging Technologies
Containers
Cloud Security

Qualys Platform Security Report
Security Gap Assessment

(Technology logos shown: Cassandra, Elastic, Kafka, Redis.)

Coming Soon: PC Dashboard & Control Search
PC Dashboard screenshot (Policy Compliance 2, NIST Dashboard): control status for NIST-related controls, Passed 476 / Failed 523; top failing NIST categories: Boundary Protection, Audit Generation, Audit Events, Access Restrictions for Change, Least Privilege.
Database UDC

Oracle, MongoDB, and other databases
Define DB Query (read only), customizable by DB version
Set a query to return tabular data to evaluate (which can include evidence)
Database UDC, step 1/3: Select Technology
Select the technology and add the default control properties.
Technology: Oracle

Default Control Properties
Rationale: Accounts not logged in in last 90 days should be expired
Remediation: In User Management application, Automated Account Expiration should be set to 90 days
SQL Statement: SELECT UserID, UserName, Role, LastLogin, AccountEnabled from UserTable

Define Pass/Fail Criteria
Technology: Microsoft SQL Server 2008
Enabled: Boolean
Evaluation Criteria: Matches Column Criteria
Any Row matches LastLogin (DateTime)
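The Database UDC above (read-only query, then an "Any Row matches" criterion on the LastLogin column), worked through as an added example that is not Qualys code: it uses an in-memory SQLite table with constructed rows in place of the customer's Oracle or SQL Server instance, and it assumes that a matching row (an enabled account with no login in the last 90 days) fails the control.

```python
import sqlite3
from datetime import datetime, timedelta

# The read-only query from the slide's Database UDC example.
UDC_SQL = "SELECT UserID, UserName, Role, LastLogin, AccountEnabled FROM UserTable"
MAX_IDLE_DAYS = 90          # from the control's rationale: expire after 90 idle days
DATE_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows standing in for a customer's UserTable; only the
# table and column names come from the slide.
SAMPLE_USERS = [
    (1, "alice", "dba",     "2018-10-20 09:15:00", 1),  # recent login, enabled
    (2, "bob",   "analyst", "2018-05-02 17:40:00", 1),  # stale and still enabled
    (3, "carol", "analyst", "2018-03-11 08:00:00", 0),  # stale but already disabled
    (4, "dave",  "svc",     None,                  1),  # never logged in, enabled
]


def build_sample_db():
    """In-memory SQLite database holding the constructed UserTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (UserID INTEGER, UserName TEXT, Role TEXT,"
                 " LastLogin TEXT, AccountEnabled INTEGER)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def run_udc_query(conn, sql=UDC_SQL):
    """Run the control's query and return the tabular result as dicts.

    UDC statements must be read-only, so anything but a SELECT is refused
    before it reaches the database.
    """
    if not sql.lstrip().lower().startswith("select"):
        raise ValueError("Database UDC statements must be read-only SELECTs")
    cur = conn.execute(sql)
    columns = [d[0] for d in cur.description]
    return [dict(zip(columns, row)) for row in cur.fetchall()]


def evaluate_rows(rows, now_str, max_idle_days=MAX_IDLE_DAYS):
    """'Any Row matches' criterion on the LastLogin (DateTime) column.

    Interpretation assumed here: a row matches when an enabled account has no
    login within max_idle_days (or has never logged in); any match fails the
    control. Returns (status, evidence) with the matching rows as evidence.
    """
    cutoff = datetime.strptime(now_str, DATE_FMT) - timedelta(days=max_idle_days)
    evidence = []
    for row in rows:
        if not row["AccountEnabled"]:
            continue                       # disabled accounts satisfy the control
        last = row["LastLogin"]
        if last is None or datetime.strptime(last, DATE_FMT) < cutoff:
            evidence.append({"UserID": row["UserID"], "UserName": row["UserName"],
                             "LastLogin": last})
    return ("FAIL" if evidence else "PASS"), evidence


def assess(now_str="2018-11-01 00:00:00"):
    """Full control evaluation against the constructed sample database."""
    conn = build_sample_db()
    try:
        return evaluate_rows(run_udc_query(conn), now_str)
    finally:
        conn.close()


if __name__ == "__main__":
    status, rows = assess()
    print(status, rows)      # FAIL, with bob and dave as evidence
```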
Simplifying Processes

Expanded Library Content
Instance Discovery & Controls
Migration to New UI - Up First: PC Dashboard, Policy & Control Library, Reporting, Mandate-based Policy Configurator
Leverage Asset Inventory for Asset Lifecycle Management
Mandate Policy Configurator

More Granular, Customizable
Custom & Library Mandates
Generate Policies from Mandate
Mandate-specific Reports
Gap Analysis Reports

Screenshot (Create New: NIST 800-53 Template, Configure Policy step): "Index the proper control objectives to their controls and values. Click on the control family to enter the Control editor and find the controls you want to edit." Control families queued for configuration: CM - Configuration Management, CP - Contingency, MA - Maintenance, MP - Media Protection, PL - Planning, PM - Program Management.
Screenshot (Create New: NIST 800-53 Template, steps 2/3: Security Control Families): "Select all or just the security control families you want to configure in this template." Steps: Basic Information, Security Control Families, Configure Policy. Options: Select Families, Minimum Security Controls. Build list of control families (10 control families selected): AC - Access Control, AU - Audit and Accountability, AT - Awareness and Training, CM - Configuration Management, CP - Contingency, ..., IA - Identification and Authentication.
Objective: IA - Identification and Authentication

Screenshot of the control-objective list for the IA family (filters: minimum security controls High 3.01K, Moderate 982, Low 89; priority P0-P3; technology Windows 2012 Server 25, Windows Server 2012 R2 16, Docker 1.x 23, F5 BIG-IP 11.x 15, ...). Columns: name, priority, sections, controls.

IA-5 Authenticator Management (P1, 15 sections, 384 controls): The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator, ...
IA-5(1) Authenticator Management | Password-Based Authentication (6 sections, 242 controls)
IA-5(2) Authenticator Management | PKI-Based Authentication (4 sections, 48 controls)
IA-5(3) Authenticator Management | In-Person or Trusted Third-Party Registration (1)
IA-5(4) Authenticator Management | Automated Support for Password Strength Determination (31)
IA-5(5) Authenticator Management | Change Authenticators Prior to Delivery (1)
IA-5(6) Authenticator Management | Protection of Authenticators (8)
IA-5(7) Authenticator Management | No Embedded Unencrypted Static Authenticators (4)
IA-5(8) Authenticator Management | Multiple Information System Accounts (0)
Objective: IA - Identification and Authentication

Screenshot of the control-objective detail view: 11 total control objectives; minimum security controls High 3.01K, Moderate 982, Low 89; priority P0 - Priority Level 0 3.01K, P1 - Priority Level 1 982, P2 - Priority Level 2 89, P3 - Priority Level 3 89; technology Windows 2012 Server 25, Windows Server 2012 R2 16, Debian GNU/Linux 9.x 5, Docker 1.x 23, F5 BIG-IP 11.x 15, and 10 more.

IA-5 Authenticator Management (Priority P1, 15 sections, 384 controls)
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator, ...

IA-5(1) Authenticator Management | Password-Based Authentication (6 sections, 242 controls)
The information system, for password-based authentication:

IA-5 (1)(a) (36 controls)
Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];

IA-5 (1)(b) (11 controls)
Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];

IA-5 (1)(c) (27 controls)
Stores and transmits only cryptographically-protected passwords;

IA-5 (1)(d) (63 controls)
Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum ...
Controls: NIST 800-53 for Windows

Screenshot of the control list (36 controls), filtered by impact baseline (High 3.01K, Moderate 982, Low 89), type (ANSSI, Qualys, CIS, DISA) and technology (Windows 2012 Server, Windows Server 2012 R2, Debian GNU/Linux 9.x, Docker 1.x, F5 BIG-IP 11.x, and 10 more). Each row maps a control to objective IA-5 (1)(a):

CID 3376: Status of the 'Maximum Password Age' setting (expiration)
  Technologies: Windows 2012 Server, Windows Server 2012 R2, Solaris 11.x
CID 10734: Status of the 'number of days before a [Prompt user] password expiration warning prompt is displayed at login' for 'users with a password' setting
  Technologies: Ubuntu 11.x, Windows 2000 Active Directory, Docker 1.x
CID 10965: Status of first module for 'password' stack, in file '/etc/pam.d/password-auth'
  Technologies: Windows 2012 Server, Windows Server 2012 R2, Solaris 11.x
CID 11468: Status of the 'try first pass' setting for pam_cracklib.so module in PAM configuration file '/etc/pam.d/common-password'
  Technologies: Docker 1.x, Windows 2012 Server
CID 11524: Status of 'fail interval' setting in the file '/etc/pam.d/password-auth'
  Technologies: Windows 2012 Server
CID 10911: Status of 'turn off certificate revocation list (CRL) checking at the Key Distribution ...
  Technologies: Windows 2012 Server, Windows Server 2012 R2
Control: Status of first module for 'password' stack, in file '/etc/pam.d/password-auth'

Screenshot of the control editor. Control Values by Technologies (3); the visible entries are for Windows 10:

The 'Windows Firewall: Apply local connection security rules (Domain)' setting enables domain-based connection rules that govern IPSec connections. As this setting enables or restricts local administrative users from creating such local connection rules, in addition to the connection security rules in Group Policies, which will increase the exposure of the system to remote attacks, this should be configured according to the needs of the business.

This Integer value X indicates the current status of the setting Windows Firewall: Domain: Apply local connection security rules using the registry key path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge. A value of 0 indicates the setting is set to No, a value of 1 indicates the setting is set to Yes.
Possible values: No (0), Yes (1), Key not found

The "Windows Firewall: Public: Logging: Name" setting is used to specify the path and name of the file in which Windows Firewall will write its log information. If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users. It should be used according to the needs of the business.

About Control
Last modified: Apr 12, 2017

Identification
Statement: Status of first module for 'password' stack, in file '/etc/pam.d/password-auth'
CID: 10965
Reference: 17.15.2.1
Technologies: Windows 2012 Server, Windows 10

Activity
Last User Login: AKCtech
Created on: March 1, 2017 10:33 AM
Last Modified on: 8 mins ago, 8:32 AM
Integration Across the Platform: Unified Compliance Assessment

Out of the box Library of Metrics
SAQ Self-Assessments
Vendor Risk Violations
VM & PC Remediation SLA Failures

Customizable! Map back to Control Objectives & Custom Mandates

Result: Single Pane of Glass for Reporting Metrics & Compliance Violation Tracking

Dashboard screenshot (Compliance Assessment): failures by app (VM, PC, CERT, CV) and top 5 failing metrics: Vulnerability Management - Vulnerabilities with CVSS rating 7 or more (83), Vulnerability Management - Java Vulnerabilities (73), Self-signed certificates (64).

Defining Metrics & Mappings

Leverages the new Alerting feature as exposed in apps: a rule has an Action Name, an Action ("Log a Compliance Metric") and an Alert Query. Metrics are then mapped to Control Objectives, which are cross-mapped to regulations.

Trigger Criteria (alert query from the screenshot):
vulnerabilities.vulnerability.severity:5 and vulnerabilities.vulnerability.patchAvailable:"true" and vulnerabilities.firstFound > now-90d
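The "Log a Compliance Metric" rule above, as an added example that is not Qualys code: it evaluates the slide's trigger criteria against constructed detection records and attaches the mapping to control objective RA-5 (which the next slide shows). The metric name, the mandate cross-mapping, the record layout and the detections themselves are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Trigger criteria exactly as written on the slide.
TRIGGER = ('vulnerabilities.vulnerability.severity:5 and '
           'vulnerabilities.vulnerability.patchAvailable:"true" and '
           'vulnerabilities.firstFound > now-90d')
# Relative window pulled out of the trigger string ("now-90d").
WINDOW = re.search(r"firstFound > (now-\d+d)", TRIGGER).group(1)

# RA-5 is the control objective shown on the slides; the metric name and the
# mandate cross-mapping are assumptions of this example.
METRIC_NAME = "Vulnerability Management - Severity 5 patchable vulnerabilities first found in the last 90 days"
METRIC_MAPPING = {"objective": "RA-5", "mandates": ["NIST 800-53", "PCI DSS", "ISO 27001"]}


def relative_date(expr, now):
    """Resolve the 'now-<N>d' form used in the slide's query to a datetime."""
    m = re.fullmatch(r"now-(\d+)d", expr.strip())
    if not m:
        raise ValueError(f"unsupported relative date: {expr}")
    return now - timedelta(days=int(m.group(1)))


def matches_trigger(detection, now):
    """Evaluate the three AND-ed conditions of TRIGGER against one detection."""
    first_found = datetime.strptime(detection["firstFound"], "%Y-%m-%d")
    return (detection["severity"] == 5
            and detection["patchAvailable"] is True
            and first_found > relative_date(WINDOW, now))


def log_compliance_metric(detections, now_str):
    """Action 'Log a Compliance Metric': count matching detections per asset and
    attach the control objective and mandates the metric is mapped to."""
    now = datetime.strptime(now_str, "%Y-%m-%d")
    hits = [d for d in detections if matches_trigger(d, now)]
    by_asset = {}
    for d in hits:
        by_asset.setdefault(d["asset"], []).append(d["qid"])
    return {"metric": METRIC_NAME, "trigger": TRIGGER,
            "objective": METRIC_MAPPING["objective"],
            "mandates": METRIC_MAPPING["mandates"],
            "failures": len(hits), "failing_assets": by_asset}


# Constructed detections; asset names, QIDs and attributes are invented here.
SAMPLE_DETECTIONS = [
    {"asset": "web01", "qid": 900001, "severity": 5, "patchAvailable": True,  "firstFound": "2018-10-15"},
    {"asset": "web01", "qid": 900002, "severity": 5, "patchAvailable": True,  "firstFound": "2018-06-01"},
    {"asset": "db02",  "qid": 900003, "severity": 5, "patchAvailable": False, "firstFound": "2018-10-20"},
    {"asset": "db02",  "qid": 900004, "severity": 4, "patchAvailable": True,  "firstFound": "2018-10-25"},
    {"asset": "app03", "qid": 900005, "severity": 5, "patchAvailable": True,  "firstFound": "2018-09-30"},
]

if __name__ == "__main__":
    print(log_compliance_metric(SAMPLE_DETECTIONS, "2018-11-01"))
```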
Security Metric Examples

High Severity Vulnerabilities / Patching
FIM Incident Review Expired
Cloud Security Configuration
Expired / Self-Signed Certificates
Vendor Risk - Failure to Respond
Procedural Control Gap Identified

Dashboard screenshot (Vulnerability Management): metric, mapped control objective, QID, title and detection count:

Vulnerability Management - Vulnerabilities with CVSS rating 7 or more | RA-5 | 371248 | HPE Intelligent Management Center (IMC) Multiple Vulnerabilities (HPESBHF037...) | 120
Vulnerability Management - Java Vulnerabilities | RA-5 | 371090 | Java Debug Wire Protocol Remote Code Execution Vulnerability | 132
Vulnerability Management - Java Vulnerabilities | RA-5 | 371265 | Oracle Java SE Critical Patch Update - October 2018 | 508
Vulnerability Management - End of Life technologies | RA-5 | 370573 | EOL/Obsolete Software: Apache Struts 1 Detected | 70
Vulnerability Management - End of Life technologies | RA-5 | 105759 | EOL/Obsolete Software: Microsoft Visual Studio 2008 Detected | 76
Vulnerability Management - End of Life technologies | RA-5 | 105757 | EOL/Obsolete Software: pfSense Version 2.2.x Detected | 44
Vulnerability Management - End of Life technologies | RA-5 | 105753 | EOL/Obsolete Operating System: Microsoft Windows 10 Version 1607 Detected | 350
Vulnerability Management - Java Vulnerabilities | RA-5 | 22002 | Oracle Database Server Java VM Remote Code Execution Vulnerability | 55
Vulnerability Management - Java Vulnerabilities | RA-5 | 371035 | Apache Cassandra Arbitrary Java Code ... | 20
Assess ALL your assets against CIS with Qualys Security Configuration Assessment

Security Configuration Assessment
Lightweight add-on to VM
Broad platform coverage
Accurate controls & content
Simple assessment workflow
Scan remotely or via agent
Powered by the Qualys Cloud Platform

Support for NIST Reporting coming

Introducing Out-of-Band Configuration Assessment
OCA, add-on to VM/PC
Flexible Data Collection via API/UI

Support for Inventory and Policy Compliance
Bulk data, Automated and customizable

Screenshot of the OCA asset list (Assets > Actions > Add Assets): FireEye CMS 8.x, Cisco IOS, Acme Packet Net Platform, WebSphere, Brocade DCX-8510, WebSphere Liberty 9.0, each with hostname, network name and an Apr 11, 2018 timestamp.
Out of Band Configuration Assessment

Large Global Bank
Disconnected/Inaccessible systems to be a part of overall Vulnerability, Risk and Compliance program

Sensitive Systems/Regulated Devices
Legacy Systems
Highly locked down systems
Network Appliances
Air-gapped Networks
Current Options

Ad-hoc scripts
Procedural controls (manual assessment)
Outside audits
Limited software-based solutions

Configuration Upload Workflow

Push the asset data:
POST http://{{base_url}}/oca/v1.0/asset

Fetch the commands required for Policy Compliance on that asset:
GET http://swarmm01.p17.eng.sjc01.qualys.com:53670/oca/v1.0/asset/03df1879-458c-495d-873d-7ab2daa34045/commands/PolicyCompliance

    {
      "code": 200,
      "data": {
        "items": [
          "version",
          "tsclockserver",
          "configshow -all",
          "syslogdipshow"
        ]
      }
    }

Qualys creates an agent-based ...

Upload the collected command output (form-data, one key per command):
POST http://{{base_url}}/oca/v1.0/asset/03df1879-458c-495d-873d-7ab2daa34045/command/output/{{type}}

    KEY                VALUE
    configshow -all    (file upload)
    tsclockserver      Active NTP Server 10.170.158.12...
    version            Kernel: 2.6.14.2
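The three-call upload workflow above, as an added example that is not Qualys code: the asset id and the command list come from the slide, while the base URL, the reply body of the asset POST (an id under "data"), the in-process fake server and the device output are assumptions constructed so the exchange runs offline. The client only uploads commands Qualys asked for and reports anything still missing, so a partial upload is not mistaken for a complete assessment.

```python
import json

ASSET_ID = "03df1879-458c-495d-873d-7ab2daa34045"   # asset id visible on the slide
APP = "PolicyCompliance"
# Command list returned by the GET shown on the slide.
REQUIRED_COMMANDS = ["version", "tsclockserver", "configshow -all", "syslogdipshow"]


class FakeOcaServer:
    """Stand-in for the Qualys OCA endpoint so the example runs offline.
    Only the three routes on the slide are modelled; the asset POST reply
    shape ({"data": {"id": ...}}) is an assumption of this example."""

    def __init__(self):
        self.assets, self.outputs = {}, {}

    def handle(self, method, url, body):
        path = url.split("/oca/v1.0/", 1)[1]
        if method == "POST" and path == "asset":
            self.assets[ASSET_ID] = json.loads(body)
            return 200, json.dumps({"code": 200, "data": {"id": ASSET_ID}})
        if method == "GET" and path == f"asset/{ASSET_ID}/commands/{APP}":
            return 200, json.dumps({"code": 200, "data": {"items": REQUIRED_COMMANDS}})
        if method == "POST" and path == f"asset/{ASSET_ID}/command/output/{APP}":
            self.outputs.setdefault(ASSET_ID, {}).update(body)   # form-data fields
            return 200, json.dumps({"code": 200})
        return 404, json.dumps({"code": 404})


class OcaClient:
    """Client for the upload workflow. send(method, url, body) -> (status, text)
    is injected so a real HTTP library (with authentication) can be dropped in."""

    def __init__(self, base_url, send):
        self.base_url, self.send = base_url.rstrip("/"), send

    def _call(self, method, path, body=None):
        status, text = self.send(method, f"{self.base_url}/oca/v1.0/{path}", body)
        reply = json.loads(text)
        if status != 200 or reply.get("code") != 200:
            raise RuntimeError(f"{method} {path} failed: HTTP {status}, code {reply.get('code')}")
        return reply

    def register_asset(self, asset):
        """Step 1: push the asset data, returning the id assigned to it."""
        return self._call("POST", "asset", json.dumps(asset))["data"]["id"]

    def required_commands(self, asset_id, app=APP):
        """Step 2: ask which command outputs the app needs for this asset."""
        return self._call("GET", f"asset/{asset_id}/commands/{app}")["data"]["items"]

    def upload_outputs(self, asset_id, collected, app=APP):
        """Step 3: upload collected output as form-data keyed by command name.
        Only requested commands are sent; missing ones are reported back."""
        required = self.required_commands(asset_id, app)
        form = {cmd: collected[cmd] for cmd in required if cmd in collected}
        self._call("POST", f"asset/{asset_id}/command/output/{app}", form)
        return {"uploaded": sorted(form),
                "missing": [cmd for cmd in required if cmd not in collected],
                "ignored": sorted(set(collected) - set(required))}


def demo():
    """Run the workflow against the fake server with constructed device output."""
    server = FakeOcaServer()
    client = OcaClient("https://oca.example.invalid", server.handle)
    asset_id = client.register_asset({"name": "switch01", "technology": "Brocade DCX Switch"})
    collected = {                      # modelled on the form-data in the screenshot
        "version": "Kernel: 2.6.14.2",
        "tsclockserver": "Active NTP Server 10.170.158.12",
        "configshow -all": "<constructed configshow output>",
        "uptime": "3 days",            # not requested by Qualys, so it is ignored
    }
    result = client.upload_outputs(asset_id, collected)
    result["stored_on_server"] = sorted(server.outputs[asset_id])
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```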
Technology Support

v0.9 and v1.0 release, November 2018:
FireEye Appliances
BigIP F5
Brocade DCX Switch
Acme Packet Net
Imperva Firewall
Cisco Wireless LAN Controller 7
Cisco UCS Server
NetApp OnTap
Juniper IVE

Future Priorities:
AS400
Cisco Meraki
Sonic Firewall
Fortinet Firewalls
Aruba WLC
Dell EMC Data Domain
Oracle Tape Library
Availability & Roadmap

November 2018: v0.9 release for limited customers; API-based Asset and Config Data Upload for PC compliance
December 2018: UI-based Data Upload for PC; Bulk asset data upload (CSV); Integration with AssetView
January 2019: Extend Support to VM; Support OCA for AS400
1H 2019: Possible SDK route; Expand Platform Coverage; CMDB Integration; FIM Integration
Integrity Monitoring

Track file changes across global IT

Validating Integrity

Why do organizations need File Integrity Monitoring solutions?
Change control enforcement
Compliance & audit requirements
Explicit mandates like PCI
Security best practices
Compromise detection

Qualys File Integrity Monitoring
Real-time detection
Built on the Qualys Cloud Agent
Easy to install, configure and manage
No expensive infrastructure to deploy

(Screenshot of the FIM event view listing monitored Windows system paths.)
Use Case: File Integrity Monitoring for PCI

Customer: Retail
Distributed network environment that benefits from cloud-based model
20k+ Windows systems
Large Linux back end infrastructure on-prem and in the cloud

Goals
Monitor for change control enforcement
PCI auditor requirements

Requires
Scalable, cloud-based solution
Hands-off management of distributed agents
VM+PC+FIM at the Point of Sale
Broad Linux platform support
FIM Challenges


Deciding what depth to monitor 
Tuning out noise, but not missing important events 
Scalability of legacy solutions 


Meeting auditor event review requirements 
What Are Customers Monitoring?

Critical Operating System Binaries
OS and Application Configuration Files
Content (such as ...)
Permissions (such as on Database Stores)
Security Data (Logs, Folder Audit ...)
User & Authentication Configurations
Focus for 2019


Simplest tuning in the industry! 


Secondary Event Filtering and Automated 
Correlation 


API access to data 

Rule-based Alerting 

Reporting 

Expanded data collection & whitelisting 
features 

Expanded Platform Support 
File Integrity Monitoring

FIM Feature Roadmap

Q4 2018 (1.9)
Incident Management UI & Workflow
Agent Health UI Improvements
Tune from Event View
Initial Reporting - Change Incident Report
Monitoring Profile Editor Phase II

Late Q4 2018 / Early Q1 2019 (1.10)
Incident List API
Incident-Event List API
Event Query API
Management Queries API

2.0
Automated Incident Correlation
Expand Reporting
Basic Notification

Q1 2019 (2.1)
Show Improvements
Library Improvements
FIM Mgmt API features
External Change Control Integration

Q2 2019 (2.2)
Process Whitelisting
Dashboard Expansion & AssetView Integration

Q3 2019 (2.3)
File Text Change Details
Windows Registry Change Detection
Monitoring Profile Import/Export
Streaming Event API
Assess Procedural Controls with Security Assessment Questionnaire

Cloud-Based Questionnaires
Visually design questionnaires
Assign assessment leveraging embedded workflow
Intuitive response
Track using an operational dashboard
Review answers and evidence
One of the biggest Financial Institutions

Assesses their Internal Procedural and Process controls

Need to comply with a number of international and regional mandates/standards.

They understand that >50% of compliance requirements are related to assessing processes and procedures.

Important that respondents find it easy and that the collected data is actionable.

Took 2 hours to rebuild an Excel-based 76-question assessment using the web-based UI and out-of-the-box rich content.

Dashboards the process deficiencies and the risk posed by internal control failures.

Consolidates the internal procedural control posture with technical compliance controls.
New-age Vendor Assessment Challenges

Extend the Perimeter to include vendors - security & vulnerability data collection
Vendor Profiling based on the services
Vendor Assessment based on criticality
Vendor control data aggregation with Internal security and compliance data
Automated workflow, operational dashboards

Infographic (partly legible): source of attack, financial impact ($200 million in costs to date; $2-3 billion; an estimated $3 billion in charges) and reputational impact, with T-Mobile cited; breach origin: direct breach vs. third parties (30%).
One of the biggest pharmaceutical companies

Assessing their vendor risk through SAQ

Vendor Profiling - Defines Criticality based on Service areas/Cybersecurity domains
Uses out-of-the-box content, including regional mandates
Easy online workflow for the vendors, who receive reminders, alerts and status
Assesses vendors per their risk profile, in a standardized (SIG) manner
Dashboards the risk posed by the highly critical vendors and ranks them per risk
Consolidates the vendor control posture with Internal procedural & technical compliance controls
Rich Template Library

Industry
PCI DSS SAQ A, B, C, D
GLBA
SWIFT
IT for SOX
HIPAA
HITRUST
NERC CIP v5
NERC CIP
BASEL 3 (IT)

Popular Standards
ISO 27001-2013 ISMS
NIST CSF
COBIT 5
FedRAMP
COSO
ITIL
CIS TOP 20 Controls
Shared Assessment (SIG) - vendor assessment

Regional
GDPR
Abu Dhabi Info Sec Standards
ANSSI (France)
MAS IBTRM (Singapore)
BSP (Philippines)
BSI Germany
ISM (Australia)
UK Data Protection
RBI Guidelines (India)
California Privacy**
Canada Data Protection 2018**

Technical Services
CSA CAIQ v3.0.1
CSA CCM v3.0.1
Vendor Security for Hosting Service Provider AWS**
Procedural controls for cloud, containers**
SAQ Roadmap

Q3 2018
User/Role/Privilege Management
Question Bank
Create template from library templates
New campaign UI
Risk scoring

Q4 2018
SAQ Lite - for PCI users
Vendor Risk Management workflows
- Vendor Onboarding, Profiling
- Automated assessment based on Vendor profiles/onboarding
- Compare vendors based on risk scores
- Dashboards on total Vendor risk/Trending/Top 5 risky vendors

Q1 2019
Vendor-driven workflows to cater to customers
- Create answer bank
- Upload customer required templates
- Match on Keywords
- Metrics, Dashboards on risk posed to my customers

* Roadmap items are future looking; timing and specifications may change
In the world where everyone is a vendor of someone
SAQ Feature coming up in Q1: Answer bank

Technology company wants to understand the Risk posed to its customers

Receives 100s of questionnaires from their customers and answers them offline, through spreadsheets
Costly & resource-intensive to respond, and gains no visibility into risk intelligence
Want to understand the top failing/passing cybersecurity areas and answers, to improve their own internal controls
Want to understand what risk they pose to their critical customers
Wants to drive the vendor-management project to showcase their good security practices and use the data for contract negotiation
Security Assessment Questionnaire

Thank You

Tim White
twhite@qualys.com